M2M and the Internet of Things: How secure is it?

Machine-to-machine technology looks set to take off, but are businesses running to it without considering the security aspects? We spoke to the industry about what security implications exist and how serious they are.

As interest in the "Internet of Things" phenomenon grows — the idea that almost everything will be connected to the internet and will provide data or control — so too has business' focus on machine-to-machine (M2M) technologies and communication. Like any emerging technology, however, M2M has a slew of security issues that businesses will have to deal with.

To highlight the security challenges ahead, ZDNet spoke with the representatives from Oracle, NetIQ, Check Point Australia, Palo Alto Networks, and Verizon Business.

Although the experts disagree on the exact number of "things" that will be connected to the internet, one fact is clear: it's going to be massive. Cisco is betting that by 2020, 50 billion devices will be connected to the internet. Gartner pointed to a figure closer to 30 billion, but that hasn't stopped the company from listing it among its top 10 strategic technology trends for 2012. Verizon has also listed it among its five key business-tech trends for 2013, and, through its recent acquisition of Hughes Telematics, is betting on the Asia-Pacific region to take the lead.

However, all of these devices need to have some form of connectivity, resulting in significant security issues that businesses need to consider.

Progress and standards

The underlying principle of M2M communications isn't particularly new, as similar technology has been used for decades at power stations, water utilities, building control and management systems, and the like, usually in the more recognisable form of supervisory control and data acquisition (SCADA) systems. However, according to engineering manager Aviv Abramovich from Check Point, these systems are typically custom implementations, often running proprietary operating systems, and without any particular standard to follow.

"We're in that creative curve, where people are looking to capitalise on the opportunity."

"They weren't designed with security in mind when they were designed. The designer did not expect them to necessarily be connected to the internet [or] a public access network. They probably more anticipated that they would be behind a secure network, and they made some assumptions on how it works," Abramovich said.

"You look at CT scanners, you look at MRI scanners, you look at dialysis machines, and all these kinds of medical devices: they're on an internet. They talk IP, and they have massively vulnerable operating systems. They're running embedded versions of Windows."

Curiously, while King sees off-the-shelf operating systems such as Windows as making devices more vulnerable, Abramovich thinks that the opposite is more often true, since there is more support from vendors, and more frequent patches than systems that were written once and long forgotten.

"With smart meters, and to an extent ATMs, and to an extent SCADA systems, the rollout of patches and updates tends to be slower than you would normally have compared with your home PC, where you get a normal update every week or so or every month," Abramovich said.

Read this

Like the operating system debate, while most experts see a role in the use of M2M-specific standards, their effectiveness is yet to be seen.

Ian Yip, who is NetIQ's product and business manager for its Identity, Security & Governance portfolios, said that he is positive that in recognition of security becoming a hot issue, many in the industry, and especially those in the academic field, are working toward standards that could be adopted to govern M2M communications.

"There's working groups, there's varying protocols, there's a lightweight version of IPv6 you can use on M2M type of communications, but it's not full IPv6," Yip said.

"If you look for things and discussions online or in publications in this area, a lot of the information is from universities or research groups. Companies are starting to look at it, but only if they have a business case to do it."

Yip said that these standards now have a greater focus on security, with many aiming to get it right while they can, rather than repeat the mistakes of utilities before them.

"Security is part of the discussion, because everyone who does the research around this is educated enough to understand the implications of not building security into M2M protocols, M2M standards, M2M communication upfront. We made mistakes on the internet, and now we're having to retrofit security, and with M2M you're even more exposed. So, thankfully, they're trying to deal with it upfront," Yip said.

"There's never been a standard that's obviated all security concerns."

While King applauded the initiative of addressing security from the get-go, he also expressed his doubts at how effective such standards might be, stating that what works in theory isn't always practical to implement.

"You have one of two things that come out of standards bodies — and I'm not belittling standards efforts at all here — but typically, they are too strong and thus hard to adopt, or too weak and thus incomplete. That said, it always comes down to implementation. In my experience, there's never been a standard that's obviated all security concerns.

Likewise, Oracle vice-president of Strategic Programs, Industries & Exalogic Michael Counsel said that it is too early to pick a "winner" in terms of a standard that addresses security.

"We need to see the whole picture before we can really think about whether or not we've satisfied the risk requirements of our consumer or the organisation of the customers that are using it. It's going to be some time before there's enough of the tooling, enough standardisation, that you cover all bases," Counsel said.

Watch the video

To him, the whole picture includes those inventors and forward-thinking engineers who are coming up with new uses for the technology in order to judge what is really needed for security in these standards.

"We're in that creative curve, where people are looking to capitalise on the opportunity, and those customers and those great inventors will be looking at ways to utilise it. They'll be looking at solving their problem, and any de facto would-be standards would actually still be lagging behind the creative process that's going on in their labs right now."

It's entirely possible that despite the work by research groups, standards and possibly security could be circumvented entirely if a powerful enough company stepped up, according to Yip.

"A certain large one comes to mind in the shape of a fruit. They could potentially do it — they've got enough money to do it — if they want, but there is a risk of getting into it too fast, especially when things like the standards aren't quite set yet, and the security mechanisms haven't been quite worked out yet," he said.

"It's either going to take a standard for the industry to agree on, or a very powerful vendor to make things work, so that everyone kind of says, 'Well, that works, so I'm just going to use that for the pure ease of use.' It might be completely proprietary, but all we really care about is that stuff works and stuff's secure, in that order, unfortunately."

New attacks and challenges

With the introduction of new devices and technology, the type of attacks that businesses will experience are also going to change. One of the new challenges that businesses will have to face is the need to increase their focus on physical attacks on devices, such as those in remote locations.

"If companies have ruled out security upfront, I'd really question the maturity of those organisations."

Counsel said that businesses would have to look at physical security to prevent unauthorised access to devices left out in the field, but that access considerations still need to be considered in the event that physical measures also fail.

"You don't want to have that machine compromised, and have a whole bunch of spurious messages coming in," he said, highlighting that these considerations need to be thought of in advance, rather than after security is compromised.

"Every architecture I've ever seen, security must be designed upfront and considered. If companies have ruled out security upfront, I'd really question the maturity of those organisations [and] whether they are ready for the M2M story.

"It's a complete risk perspective. It'll be the remote location management house handling the office. I can see convergence of authentication, GPS technology, and M2M. The next evolution."

Traditional disruptive attacks like denial of service (DoS) could have new consequences, Yip said. Many field-based devices will be powered from batteries.

"It's even easier when power is at a premium, because of the fact that something needs to respond to a request, be it legitimate or not, [and that] takes power."

Read this

Yip said that DoS attacks could be designed to increase processor usage, thus draining a device's battery prematurely and ensuring that it stays offline or out of contact. Previously, attackers needed to keep up their attack, limiting the number of targets that they could simultaneously force offline, or find an exploit that would cause a specific service to crash. But when the device runs off batteries, attackers don't need to do anything particularly technical, and get the added bonus of forcing all services on the device offline.

Encrypting information also tends to be a processor-intensive task, meaning that devices may need to be selective as to what they encrypt, as opposed to the web's trend toward full end-to-end encryption.

"You have to minimise power usage, which also means you can't waste too much of it screwing around with encryption. That's actually one of the main challenges. If your processor and [thus] battery is doing all of this encryption activity all the time, pretty soon your device will have no power to do anything," he said.

"Unless nanotechnology and battery manufacturing increases as per Moore's Law, it's going to be a huge issue."

Counsel stressed that the problem existing in the bring-your-own-device (BYOD) and asset-management spheres — remotely wiping lost or stolen hardware — will also carry over to M2M devices if they are physically compromised. This may lead certain businesses to adopt a "mission impossible" policy, where once a device has performed its task, it may need to destroy the data it contains.

"Unless nanotechnology and battery manufacturing increases as per Moore's Law, it's going to be a huge issue."

"You don't want to have devices with any kind of identification left lying around, so you need to have effective disposal or self-disposal processes built in to those protocols. As soon as they're decommissioned or powered on without have being turned on for some period of time, they'll need to actually effectively cater for their own security remotely."

This could include M2M devices using their sensors as a method of determining when it has been stolen, assuming that false data is not being fed back to its owners.

"It might be the device starts off by saying, 'I know I'm being configured to be in location so much northern, eastern, and height.' It gets locked in and configured, and when it first starts up or it changes location, it sends an alert by the same mechanism so if it physically changes location, unless it has been configured to, it actually broadcasts both the GPS location, plus the M2M diagnosis process," Counsel said.

Security barriers to M2M adoption

With the 30 billion to 50 billion devices predicted for 2020, a large part of the problem will be the management of each individual end point, and the complexity that comes with that.

"There needs to be new business models, new ways of managing."

Verizon Business' vice-president for Strategy and Development in the Asia-Pacific region, Robert Le Busque, pointed to policy as still being critically important, regardless of what is being connected to the network.

"If it has an IP address, regardless of whether it's fixed or mobile or a device, it needs a security protocol, and that security policy should be in line with the fully blown policy that the enterprise has," Le Busque said.

He also pointed to reducing the complexity of managing a huge number of devices as being an issue that the industry would need to solve.

"As an enterprise, or as an organisation that looks to use M2M, how do you scale appropriately to be able to manage that away? Under that management is not just security; it's how do you manage the lifecycle, and then how do you manage your diagnostics.

"There needs to be new business models, new ways of managing that completely. Ultimately, it's about trying to make protocols and technology simpler and repeatable."

King took a different view, however, and conceded the fight to secure every device. He said that while the approach of securing the end point may have worked in the desktop era, it is near impossible to do so for the millions of devices that might need to be managed.

Who's selling M2M?

"In the old days, you could do device-based security, because all those devices were the same. Now you've got iOS, Android, Microsoft on the mobile device. You've got Apple, Linux, Microsoft on the desktop or laptop device. This device proliferation just highlights the fact that attempting to do any of this stuff on the device if you are a corporate entity is extremely difficult."

King said that the one thing these devices have in common is the network they are on, and, as such, the network would be a bottleneck for preventing widespread use of M2M, unless it were used as the place to implement security.

"The place to exercise security in the internet of things is on the internet, not the things. That may be the only thing you've got control over."

However, networks continue to be characterised as security weak points, with Abramovich pointing out that the slow transition from IPv4 networks to IPv6 could harm M2M uptake.

With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6. Abramovich said that in some circumstances, this limitation could be circumvented by using private IPv4 address spaces, but create more complex problems when attempting to connect the private network to the rest of the internet and subsequently route traffic.

Abramovich also said that IPv6's limited use, compared to IPv4, means that it could have further vulnerabilities that haven't been discovered, unlike IPv4, which has stood up to hackers for a significantly longer period.

"The place to exercise security in the internet of things is on the internet, not the things."

"When IPv6 was first introduced, we have seen cases where there were vulnerabilities and issues that were already long gone, extinct from IPv4-based networking, reintroduced in IPv6. The IPv4 IP stack in most modern equipment [and] modern operating systems is fairly strong. With IPv6, there are still a lot of holes that hackers will discover over time [and] once hackers sink their teeth into it, they'll probably find a lot more things that could potentially go wrong," Abramovich said.

Yip also highlighted that the issue with attempting to secure each end point is that certificate management will become a serious issue as they are updated or revoked.

"A core part of security working, specifically for confidentiality, to ensure secure communications ... that's all based on encryption certificates and that sort of thing. The management of certificates is going to become an issue when it comes to that many devices, because certificates expire and then you've got to restore them or refresh them, and there's all sorts of trust relationships that you have to re-establish," Yip said.

Read this

Other barriers to entry will be less technical and more about the applications that M2M technology will be used in. According to Yip, some industry sectors will be slower to adopt M2M technologies than others. He said that the first to use such technology would continue to be utilities, while manufacturers for white goods could follow, but emphasised that any vendor entering the market will need to have a very strong business case.

"If you can actually measure a business case or business saving in putting these kind of things in, then that's where management will sign up and say, 'sure,' but if it's just for us, as consumers, to have an easier way to check out, then it may be hard to fund."

Another security issue that could bring M2M to a halt is the lack of skilled, experienced implementers when it comes to rolling out a fleet of M2M devices. King said that because it is such a relatively new area for certain businesses, those that are currently doing it haven't learned the important lessons from the failures of SCADA systems in the utilities space.

"They are not the folks that have earned their scars, if you'll permit the analogy, in network security in the first place," he said.

Counsel agreed.

"It really is about having people who have been there, seen the problem, [and have] experienced the scars on their back. If you bring someone who is inexperienced in this, who hasn't had the background working with companies that don't have the background in this area, I think you're going to hit those same issues and repeat problems," he said. Getting advice from organisations that are looking at related areas can be the key to success.